IN THE CLAIMS 
Please amend the claims as follows: 
Claims 1-9 (Canceled). 

Claim 10 (New): A method of producing a system architecture including a plurality 
of electrical components connected to each other, the components including electronic 
control units, sensors and actuators, the method comprising: 

a) identifying a set of undesirable events and ascribing to each of the undesirable 
events an indicator of their severity; 

b) associating where possible each of the undesirable events with one or more 
actuators of the system architecture; 

c) developing a functional specification of an initial architecture proposed for 
implementation of the system architecture, the functional specification of the initial 
architecture including dataflow for and between electrical components thereof; 

d) refining on the functional specification fault tolerance requirements associated 
with the severity of each of the undesirable events and issuing refined fault tolerance 
requirements of the functional specification; 

e) producing replicates in the functional specification together with attached 
indicators of independence of the replicates, the indicators reflecting the refined fault 
tolerance requirements; 

f) defining a hardware structure for the system architecture; 

g) mapping the functional specification onto the hardware structure; and 

h) verifying automatically that the indicators of independence are preserved 
during the mapping. 



2 



Claim 1 1 (New): A method according to claim 10, wherein the system includes a 
fault tolerant system. 

Claim 12 (New): A method according to claim 10, including, in the developing (c), 
defining a series of modes of operation. 

Claim 13 (New): A method according to claim 12, wherein the modes of operation 
include nominal and limp-home modes. 

Claim 14 (New): A method according to claim 12, including specifying the series of 
modes in a form of one or more state charts. 

Claim 15 (New): A method according to claim 10, further including mapping 
geometrically hardware components and/or wiring and then verifying automatically that the 
indicators of independence are preserved by the geometrical mapping. 

Claim 16 (New): A method according to claim 10, further including specifying the 
severity in a form of probability of failure per unit of time. 

Claim 17 (New): A method according to claim 10, further including outputting a set 
of data for use in manufacturing the system architecture. 

Claim 18 (New): A method according to claim 10, wherein the system architecture 
includes a safety critical architecture for a vehicle. 
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Claim 19 (New): A method according to claim 10, wherein the hardware structure is 
in a form of a series of electronic control units connected to each other by networks. 

Claim 20 (New): A computer program product comprising a computer readable 
medium having thereon computer program code means, when the program is loaded, to make 
the computer execute a procedure to design and verify a system architecture, the procedure 
comprising: 

a) identifying a set of undesirable events and ascribing to each of the undesirable 
events an indicator of their severity; 

b) associating where possible each of the undesirable events with one or more 
actuators of the system architecture; 

c) developing a functional specification of an initial architecture proposed for 
implementation of the system architecture, the functional specification of the initial 
architecture including dataflow for and between components thereof; 

d) refining on the functional specification fault tolerance requirements associated 
with the severity of each of the undesirable events and issuing refined fault tolerance 
requirements of the functional specification; 

e) producing replicates in the functional specification together with attached 
indicators of independence of the replicates, the indicators reflecting the refined fault 
tolerance requirements; 

f) defining a hardware structure for the system architecture; 

g) mapping the functional specification onto the hardware structure; and 

h) verifying automatically that the indicators of independence are preserved 
during the mapping. 
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Claim 21 (New): A method according to claim 20, wherein the hardware structure is 
in a form of a series of electronic control units connected to each other by networks. 

Claim 22 (New): A computer program product according to claim 20, wherein the 
components include sensors or actuators. 

Claim 23 (New): A design tool configured for design and verification of a system 
architecture, the system architecture including a plurality of electrical components connected 
to each other, the components including electronic control units, sensors, and actuators, the 
design tool configured to: 

a) identify a set of undesirable events and ascribe to each of the undesirable 
events an indicator of their severity; 

b) associate where possible each of the undesirable events with one or more 
actuators of the system architecture; 

c) develop a functional specification of an initial architecture proposed for 
implementation of the system architecture, the functional specification of the initial 
architecture including dataflow for and between components thereof; 

d) refine on the functional specification fault tolerance requirements associated 
with the severity of each of the undesirable events and issue refined fault tolerance 
requirements of the functional specification; 

e) produce replicates in the functional specification together with attached 
indicators of independence of the replicates, the indicators reflecting the refined fault 
tolerance requirements; 

f) define a hardware structure for the system architecture; 

g) map the functional specification onto the hardware structure; and 
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h) verify automatically that the indicators of independence are preserved during 
the mapping. 

Claim 24 (New): A method according to claim 23, wherein the system includes a 
fault tolerant system. 

Claim 25 (New): A computer program product according to claim 23, wherein the 
components include sensors or actuators. 

Claim 26 (New): A method according to claim 23, wherein the hardware structure is 
in a form of a series of electronic control units connected to each other by networks. 
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